One issue may be that you are only applying network service rules, and not application service rules, in your IP policy. For example, FTP appears in the L7 signatures as three application services and one network service:

What is interesting is that the IP firewall policy default action should be catching the FTP requests and dropping them.